From: Raviteja Cherughattu <rc835m@att.com>
Date: Wed, 27 May 2020 17:08:55 +0000 (-0500)
Subject: Medium Vulnerabilities CodeFix: 1. URL Redirection 2. AAF-1111
X-Git-Tag: 2.7.0~9
X-Git-Url: https://gerrit.onap.org/r/gitweb?p=aaf%2Fauthz.git;a=commitdiff_plain;h=16c3995a89892b1dad4dab7df0f6200ac8b09f92

Medium Vulnerabilities CodeFix: 1. URL Redirection 2. AAF-1111

Issue-ID: AAF-1115
Change-Id: I05d8d7a19236ad476d2a37b51a6c4a84ba2b8546
Signed-off-by: Raviteja Cherughattu <rc835m@att.com>
---

diff --git a/auth/auth-cmd/pom.xml b/auth/auth-cmd/pom.xml
index 7133a5b1..01ec4ec9 100644
--- a/auth/auth-cmd/pom.xml
+++ b/auth/auth-cmd/pom.xml
@@ -178,7 +178,11 @@
             <artifactId>jline</artifactId>
             <version>2.14.2</version>
         </dependency>
-
+        <dependency>		
+			<groupId>org.owasp.encoder</groupId>		
+			<artifactId>encoder</artifactId>		
+			<version>1.2.1</version>		
+		</dependency>
     </dependencies>
 
     <distributionManagement>
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java
index 0ae4ce99..40616abc 100644
--- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java
@@ -54,6 +54,7 @@ import aaf.v2_0.History;
 import aaf.v2_0.History.Item;
 import aaf.v2_0.Request;
 
+import org.owasp.encoder.Encode;
 
 public abstract class Cmd {
     // Sonar claims DateFormat is not thread safe.  Leave as Instance Variable.
@@ -272,7 +273,7 @@ public abstract class Cmd {
             sb.append(", ");
             sb.append(desc);
         }
-        pw().println(sb);
+        pw().println(Encode.forJava(sb.toString()));
     }
 
 
diff --git a/auth/auth-core/pom.xml b/auth/auth-core/pom.xml
index 884ecbe3..972b12cb 100644
--- a/auth/auth-core/pom.xml
+++ b/auth/auth-core/pom.xml
@@ -107,6 +107,11 @@
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-log4j12</artifactId>
         </dependency>
+        <dependency>		
+			<groupId>org.owasp.encoder</groupId>		
+			<artifactId>encoder</artifactId>		
+			<version>1.2.1</version>		
+		</dependency>
     </dependencies>
     
     <build>
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java
index cdda50db..b342c428 100644
--- a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java
@@ -53,6 +53,7 @@ import org.onap.aaf.misc.env.EnvJAXB;
 import org.onap.aaf.misc.env.LogTarget;
 import org.onap.aaf.misc.env.Store;
 import org.onap.aaf.misc.env.Trans;
+import org.owasp.encoder.Encode;
 /*
  * CachingFileAccess
  *
@@ -429,9 +430,9 @@ public class CachingFileAccess<TRANS extends Trans> extends HttpCode<TRANS, Void
                     w.append(name);
                     w.append('/');
                 }
-                w.append(f.getName());
+                w.append(Encode.forJava(f.getName()));
                 w.append("\">");
-                w.append(f.getName());
+                w.append(Encode.forJava(f.getName()));
                 w.append("</a></li>\n");
             }
             w.append(F);
diff --git a/auth/auth-fs/pom.xml b/auth/auth-fs/pom.xml
index 39cb03b8..943c1082 100644
--- a/auth/auth-fs/pom.xml
+++ b/auth/auth-fs/pom.xml
@@ -76,6 +76,16 @@
             <groupId>org.onap.aaf.authz</groupId>
             <artifactId>aaf-cadi-core</artifactId>
         </dependency>
+         <dependency>	
+			<groupId>org.owasp.encoder</groupId>		
+			<artifactId>encoder</artifactId>		
+			<version>1.2.1</version>		
+		</dependency>	
+		<dependency>	
+            <groupId>org.owasp.esapi</groupId>	
+			<artifactId>esapi</artifactId>	
+			<version>2.0.1</version>	
+        </dependency>
     </dependencies>
 
     <build>
diff --git a/auth/auth-fs/src/main/java/org/onap/aaf/auth/fs/AAF_FS.java b/auth/auth-fs/src/main/java/org/onap/aaf/auth/fs/AAF_FS.java
index 64d93539..fdedd6bc 100644
--- a/auth/auth-fs/src/main/java/org/onap/aaf/auth/fs/AAF_FS.java
+++ b/auth/auth-fs/src/main/java/org/onap/aaf/auth/fs/AAF_FS.java
@@ -45,7 +45,7 @@ import org.onap.aaf.cadi.config.Config;
 import org.onap.aaf.cadi.register.Registrant;
 import org.onap.aaf.cadi.register.RemoteRegistrant;
 
-
+import org.owasp.esapi.reference.DefaultHTTPUtilities;
 
 public class AAF_FS extends AbsService<AuthzEnv, AuthzTrans>  {
 
@@ -82,7 +82,8 @@ public class AAF_FS extends AbsService<AuthzEnv, AuthzTrans>  {
         @Override
         public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
             trans.info().printf("Redirecting %s to HTTP/S %s", req.getRemoteAddr(), req.getLocalAddr());
-            resp.sendRedirect(url);
+            DefaultHTTPUtilities util = new DefaultHTTPUtilities();        	
+            util.sendRedirect(url);
         }
     };
 
diff --git a/auth/auth-hello/pom.xml b/auth/auth-hello/pom.xml
index 11971e0d..f9a420f9 100644
--- a/auth/auth-hello/pom.xml
+++ b/auth/auth-hello/pom.xml
@@ -55,7 +55,12 @@
             <groupId>org.onap.aaf.authz</groupId>
             <artifactId>aaf-cadi-aaf</artifactId>
         </dependency>
-
+		<dependency>		
+			<groupId>org.owasp.encoder</groupId>		
+			<artifactId>encoder</artifactId>		
+			<version>1.2.1</version>		
+		</dependency>
+		
     </dependencies>
 
     <build>
diff --git a/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java b/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java
index 4ffb1787..cdaa6a76 100644
--- a/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java
+++ b/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java
@@ -35,6 +35,8 @@ import org.onap.aaf.auth.rserv.HttpMethods;
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.TimeTaken;
 
+import org.owasp.encoder.Encode;
+
 /**
  * API Apis
  * @author Jonathan
@@ -70,7 +72,7 @@ public class API_Hello {
                 String perm = pathParam(req, "perm");
                 if (perm!=null && perm.length()>0) {
                     os.print('(');
-                    os.print(req.getUserPrincipal().getName());
+                    os.print(Encode.forJava(req.getUserPrincipal().getName()));
                     TimeTaken tt = trans.start("Authorize perm", Env.REMOTE);
                     try {
                         if (req.isUserInRole(perm)) {
@@ -82,7 +84,7 @@ public class API_Hello {
                         tt.done();
                     }
                     os.print("Permission: ");
-                    os.print(perm);
+                    os.print(Encode.forJava(perm));
                     os.print(')');
                 }
                 os.println();
@@ -144,7 +146,7 @@ public class API_Hello {
                 }
                 sb.append("}");
                 ServletOutputStream os = resp.getOutputStream();
-                os.println(sb.toString());
+                os.println(Encode.forJava(sb.toString()));
                 trans.info().printf("Said 'RESTful Hello' to %s, Authentication type: %s",trans.getUserPrincipal().getName(),trans.getUserPrincipal().getClass().getSimpleName());
             }
         },APPLICATION_JSON);
@@ -164,7 +166,7 @@ public class API_Hello {
                 trans.info().printf("Content from %s: %s\n", pathParam(req, ":id"),content);
                 if (content.startsWith("{") && content.endsWith("}")) {
                     resp.setStatus(200 /* OK */);
-                    resp.getOutputStream().print(content);
+                    resp.getOutputStream().print(Encode.forJava(content));
                 } else {
                     resp.getOutputStream().write(NOT_JSON);
                     resp.setStatus(406);
diff --git a/auth/auth-locate/pom.xml b/auth/auth-locate/pom.xml
index 2b6568bf..36585989 100644
--- a/auth/auth-locate/pom.xml
+++ b/auth/auth-locate/pom.xml
@@ -78,6 +78,17 @@
             <groupId>org.onap.aaf.authz</groupId>
             <artifactId>aaf-misc-rosetta</artifactId>
         </dependency>
+        <dependency>		
+			<groupId>org.owasp.encoder</groupId>		
+			<artifactId>encoder</artifactId>		
+			<version>1.2.1</version>		
+		</dependency>
+		<dependency>	
+            <groupId>org.owasp.esapi</groupId>	
+			<artifactId>esapi</artifactId>	
+			<version>2.0.1</version>	
+        </dependency>
+        
     </dependencies>
 
     <build>
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java
index 36a987e5..7b23c89c 100644
--- a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java
@@ -53,6 +53,9 @@ import org.onap.aaf.cadi.client.Retryable;
 import org.onap.aaf.misc.env.APIException;
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.TimeTaken;
+import org.owasp.esapi.errors.AccessControlException;
+import org.owasp.esapi.reference.DefaultHTTPUtilities;
+import org.owasp.encoder.Encode;
 
 public class API_AAFAccess {
 //    private static String service, version, envContext;
@@ -104,7 +107,7 @@ public class API_AAFAccess {
                                         ServletOutputStream sos;
                                         try {
                                             sos = resp.getOutputStream();
-                                            sos.print(fp.value);
+                                            sos.print(Encode.forJava(fp.value));
                                         } catch (IOException e) {
                                             throw new CadiException(e);
                                         }
@@ -122,7 +125,7 @@ public class API_AAFAccess {
                         User u = (User)d.data.get(0);
                         resp.setStatus(u.code);
                         ServletOutputStream sos = resp.getOutputStream();
-                        sos.print(u.resp);
+                        sos.print(Encode.forJava(u.resp));
                     }
                 } finally {
                     tt.done();
@@ -256,7 +259,7 @@ public class API_AAFAccess {
         });
     }
 
-    private static void redirect(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, LocateFacade context, Locator<URI> loc, String path) throws IOException {
+    private static void redirect(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, LocateFacade context, Locator<URI> loc, String path) throws IOException, AccessControlException {
         try {
             if (loc.hasItems()) {
                 Item item = loc.best();
@@ -270,7 +273,9 @@ public class API_AAFAccess {
                     redirectURL.append(str);
                 }
                 trans.info().log("Redirect to",redirectURL);
-                resp.sendRedirect(redirectURL.toString());
+                DefaultHTTPUtilities util = new DefaultHTTPUtilities();            	
+                util.sendRedirect(redirectURL.toString());                
+                //resp.sendRedirect(redirectURL.toString());
             } else {
                 context.error(trans, resp, Result.err(Result.ERR_NotFound,"No Locations found for redirection"));
             }
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java
index 67107088..047663c3 100644
--- a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java
@@ -59,6 +59,7 @@ import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.TimeTaken;
 import org.onap.aaf.misc.rosetta.env.RosettaDF;
 import org.onap.aaf.misc.rosetta.env.RosettaData;
+import org.owasp.encoder.Encode;
 
 import locate_local.v1_0.Api;
 
@@ -266,7 +267,7 @@ public abstract class LocateFacadeImpl<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,CONFIGURA
         TimeTaken tt = trans.start(API_EXAMPLE, Env.SUB);
         try {
             String content =Examples.print(apiDF.getEnv(), nameOrContentType, optional);
-            resp.getOutputStream().print(content);
+            resp.getOutputStream().print(Encode.forJava(content));
             setContentType(resp,content.contains("<?xml")?TYPE.XML:TYPE.JSON);
             return Result.ok();
         } catch (Exception e) {
@@ -311,7 +312,7 @@ public abstract class LocateFacadeImpl<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,CONFIGURA
                     }
                 }
             }
-            resp.getOutputStream().println(output);
+            resp.getOutputStream().println(Encode.forJava(output));
             setContentType(resp,epDF.getOutType());
             return Result.ok();
         } catch (Exception e) {
diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/http/HClient.java b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HClient.java
index c7b2605f..898b99c9 100644
--- a/cadi/client/src/main/java/org/onap/aaf/cadi/http/HClient.java
+++ b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HClient.java
@@ -47,7 +47,7 @@ import org.onap.aaf.misc.env.Data;
 import org.onap.aaf.misc.env.Data.TYPE;
 import org.onap.aaf.misc.env.util.Pool.Pooled;
 import org.onap.aaf.misc.rosetta.env.RosettaDF;
-
+import org.owasp.encoder.Encode;
 /**
  * Low Level Http Client Mechanism. Chances are, you want the high level "HRcli"
  * for Rosetta Object Translation
@@ -396,8 +396,10 @@ public class HClient implements EClient<HttpURLConnection> {
                     // reuse Buffers
                     Pooled<byte[]> pbuff = Rcli.buffPool.get();
                     try {
+                    	String strTemp;
                         while ((read=is.read(pbuff.content))>=0) {
-                            os.write(pbuff.content,0,read);
+                        	strTemp = new String(pbuff.content,0,read);                        	
+                        	os.write(Encode.forJava(strTemp).getBytes());
                         }
                     } finally {
                         pbuff.done();
@@ -412,8 +414,10 @@ public class HClient implements EClient<HttpURLConnection> {
                         errContent = new StringBuilder();
                         Pooled<byte[]> pbuff = Rcli.buffPool.get();
                         try {
+                        	String strTemp; 
                             while ((read=is.read(pbuff.content))>=0) {
-                                os.write(pbuff.content,0,read);
+                            	strTemp = new String(pbuff.content,0,read);                            	
+                            	os.write(Encode.forJava(strTemp).getBytes());
                             }
                         } finally {
                             pbuff.done();
diff --git a/misc/pom.xml b/misc/pom.xml
index 66851bc1..61d4f5d2 100644
--- a/misc/pom.xml
+++ b/misc/pom.xml
@@ -73,6 +73,12 @@
             <artifactId>junit</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>		
+			<groupId>org.owasp.encoder</groupId>		
+			<artifactId>encoder</artifactId>		
+			<version>1.2.1</version>		
+		</dependency>
+        
     </dependencies>
 
     <modules>
diff --git a/misc/xgen/pom.xml b/misc/xgen/pom.xml
index d24e8510..d4183fb9 100644
--- a/misc/xgen/pom.xml
+++ b/misc/xgen/pom.xml
@@ -78,6 +78,11 @@
             <artifactId>aaf-misc-env</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>		
+			<groupId>org.owasp.encoder</groupId>		
+			<artifactId>encoder</artifactId>		
+			<version>1.2.1</version>		
+		</dependency>        
     </dependencies>
     
     <!-- ============================================================== -->
diff --git a/misc/xgen/src/main/java/org/onap/aaf/misc/xgen/Section.java b/misc/xgen/src/main/java/org/onap/aaf/misc/xgen/Section.java
index 9f1f2a38..0d41bd9b 100644
--- a/misc/xgen/src/main/java/org/onap/aaf/misc/xgen/Section.java
+++ b/misc/xgen/src/main/java/org/onap/aaf/misc/xgen/Section.java
@@ -28,6 +28,7 @@ import org.onap.aaf.misc.env.APIException;
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.Trans;
 import org.onap.aaf.misc.xgen.html.State;
+import org.owasp.encoder.Encode;
 
 public class Section<G extends XGen<G>> {
     protected int indent;
@@ -48,11 +49,11 @@ public class Section<G extends XGen<G>> {
     }
 
     public void forward(Writer w) throws IOException {
-        w.write(forward);
+    	w.write(Encode.forJava(forward));
     }
     
     public void back(Writer w) throws IOException {
-        w.write(backward);
+    	w.write(Encode.forJava(backward));
     }
     
     public String toString() {